Launched in 2009, the Beesat-1 CubeSat, a miniature satellite from TU Berlin, experienced operational failures by 2013, rendering its data transmission unusable. A hacker, PistonMiner, successfully restored Beesat-1’s functionality remotely by identifying and correcting a software error, despite limitations in the update mechanism. This involved creating a “Frankenstein Beesat” test model and utilizing the satellite’s existing, albeit limited, communication capabilities. The resulting update not only reactivated data transmission but also unexpectedly restored the onboard camera functionality, demonstrating a potential model for reviving defunct satellites.
At the 38th Chaos Communication Congress (38C3) in Hamburg, a remarkable feat of hacking and ingenuity was unveiled: the resurrection of the Beesat-1 satellite. Launched by TU Berlin in 2009, this tiny CubeSat, no bigger than a shoebox, ceased functioning in 2013, its data transmission failing. This presented a unique challenge, as its planned update mechanism was non-functional.
This seemingly insurmountable obstacle was overcome by a resourceful hacker known only as PistonMiner. PistonMiner, with ties to TU Berlin, recognized the significant value in restoring Beesat-1, especially considering its high orbit, ensuring a longer lifespan compared to its counterparts which had already disintegrated in the atmosphere. Beesat-1 possessed a surprisingly sophisticated system for its size, boasting two redundant ARM-7 based microcontrollers—microprocessors comparable in power to a Game Boy—a 16 MB program memory, and a 4 MB telemetry memory. It employed two CAN buses, common in automotive systems, and used a 4.8 kbps communication system. The satellite’s orbit demanded efficiency; communication windows from Berlin were limited to 15-minute bursts during six overflights daily.
Initial investigations by TU Berlin pointed toward radiation damage as the primary cause of Beesat-1’s malfunction, focusing on the erratic telemetry data received starting in 2011. PistonMiner, however, took a different approach. Their analysis revealed a pattern of zeroes within the seemingly random telemetry data. This systematic occurrence pointed not to random hardware failure due to radiation, but rather to a software bug. The culprit, they surmised, was the satellite’s boot counter, a component capable of generating such data patterns.
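The reasoning above, separating noise-like corruption from a stable pattern of zeroes, can be sketched as a small triage script. This is an added example, not PistonMiner's analysis or TU Berlin code; the 32-byte frame layout, the thresholds and the sample frames are constructed assumptions.

```python
import random

FRAME_LEN = 32  # constructed frame size, not Beesat-1's real telemetry layout


def zero_runs(frames, min_fraction=0.9, min_len=4):
    """Find runs of byte offsets that are zero in most frames.

    Returns (start_offset, length) tuples. A random byte is zero with
    probability 1/256, so a long run that is zero in nearly every frame
    is structure, not chance.
    """
    n = len(frames)
    frac = [sum(f[i] == 0 for f in frames) / n for i in range(FRAME_LEN)]
    runs, start = [], None
    for i, p in enumerate(frac + [0.0]):  # trailing sentinel closes an open run
        if p >= min_fraction:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                runs.append((start, i - start))
            start = None
    return runs


def classify(frames):
    """Label a capture 'systematic' if a stable zero run exists, else 'random'."""
    runs = zero_runs(frames)
    return ("systematic" if runs else "random", runs)


def make_frames(rng, count, zeroed=None):
    """Build constructed sample frames; `zeroed` is an optional (start, end) slice."""
    frames = []
    for _ in range(count):
        f = bytearray(rng.randrange(256) for _ in range(FRAME_LEN))
        if zeroed:
            f[zeroed[0]:zeroed[1]] = bytes(zeroed[1] - zeroed[0])
        frames.append(bytes(f))
    return frames


rng = random.Random(2013)  # fixed seed so the constructed samples are repeatable
RANDOM = make_frames(rng, 40)                      # noise-like bytes everywhere
SYSTEMATIC = make_frames(rng, 40, zeroed=(8, 16))  # same noise, one field always zero

if __name__ == "__main__":
    print(classify(RANDOM))
    print(classify(SYSTEMATIC))
```

A field that is zero at the same offsets in frame after frame points at code writing or resetting that field, which is the kind of evidence that shifts suspicion from radiation to software.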
To test this hypothesis, PistonMiner constructed a “Frankenstein Beesat”, a replica of the satellite’s onboard computer, using available documentation, partial source code, and reverse-engineering techniques. This setup allowed for effective testing and debugging via a JTAG (Joint Test Action Group) interface, which PistonMiner used to probe the system’s behavior and pinpoint the problematic software. The investigation revealed weaknesses in the C++ virtual function tables (vtables), the tables of function pointers through which virtual method calls are dispatched and which guided how the satellite’s software interacted with its hardware. This became the point of entry for their hacking efforts.
The challenge then became one of working within the satellite’s communication system. Support for large software updates had been intended, but the feature was not implemented in the final code. PistonMiner therefore had to craft a series of small software updates that fit within the limited communication bandwidth and could survive interruptions. This was a substantial undertaking, given the limited communication windows with the satellite.
After several carefully planned and executed communication sessions, PistonMiner successfully uploaded the necessary code patches to Beesat-1. The result was a fully functional satellite, restored to its factory settings. Surprisingly, this recovery also resurrected the on-board camera, previously believed to be non-functional. A subtle error in the camera’s code was discovered – a command to output memory contents simultaneously activated the camera. The Earth’s surface could once again be imaged, though the automatic exposure feature proved unreliable.
Beesat-1 is now available for renewed experimentation and use, potentially by amateur radio enthusiasts. Its functionality includes access to radio beacons for search and rescue services, navigation, and a digipeater for relaying data between radio stations. PistonMiner’s actions, executed with permission, serve as a remarkable example of innovative problem-solving, demonstrating how even seemingly obsolete technology can be resurrected and repurposed through determination, skill, and a deep understanding of software and hardware. The implications extend beyond the rescue of a single satellite: the work suggests a pathway to revitalizing other dormant space assets, significantly extending their operational lifespans and scientific value. It is a testament to the ingenuity and skill of the hacking community and a striking demonstration of what’s possible when technical expertise meets unwavering dedication.